The present disclosure relates generally to establishing a chain of trust in a system log, and more specifically, to a merging of multiple data streams, recording source and alteration information into a log of the merged data streams, and preserving this information through subsequent processing iterations.
In general, computer systems are constantly recording information about their operations in system logs. These system logs serve a variety of purposes, such as problem diagnosis, charge-back/billing, and security. Users require a mechanism that they can use to assure that a system log has not been modified. Specifically, users need to know that a log record has not been modified, added, or deleted.
Present techniques that allow such assurance include writing a system log to “write-once, read many” (WORM) media, such as a compact disc read only memory, and digitally signing the content of the system log. However, a problem that is left unaddressed by these techniques is a need to assure that a record has not been altered after it has passed through one or more steps of system log merging, filtering, and/or modification. That is, because the merging, filtering, and/or modification of the system log alters its contents in a way of which a final user of a final system log would not be aware, the final user has no way of immediately ascertaining system log alterations (i.e., of determining which records had been merged, filtered, and/or modified) without extensive review and reconciliation between a trusted copy of the source (e.g., WORM) and the final system log.
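The gap described above can be reproduced in a few lines. The following is an added illustration, not part of the disclosure: a whole-log tag verifies each source log but says nothing useful about the merged and filtered result, so the only recourse is record-by-record reconciliation against the trusted copies. The log lines, the key, and the function names are constructed for this example, and a standard-library HMAC stands in for the digital signature.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for a real signing key

# Constructed source logs, playing the role of the trusted (e.g. WORM) copies.
SRC_AUTH = ["2024-01-01T10:00:00 auth login user=alice",
            "2024-01-01T10:05:00 auth login user=bob"]
SRC_APP = ["2024-01-01T10:01:00 app start job=41",
           "2024-01-01T10:06:00 app debug heartbeat"]

def sign_log(records):
    """Whole-log tag: one HMAC over every record, in order."""
    data = "\n".join(records).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify_log(records, tag):
    return hmac.compare_digest(sign_log(records), tag)

def merge_filter_modify(*sources):
    """A routine pipeline: merge by timestamp, drop debug lines, mask one user."""
    merged = sorted(r for src in sources for r in src)
    kept = [r for r in merged if " debug " not in r]
    return [r.replace("user=bob", "user=REDACTED") for r in kept]

def reconcile(trusted_sources, final_log):
    """Manual reconciliation of a final log against trusted source copies.

    Assumes records are unique. 'dropped' lists source records missing from the
    final log; 'unsourced' lists final records found in no source. A modified
    record shows up as one of each, so modification cannot be told apart from
    a deletion plus an insertion.
    """
    source_of = {}
    for name, records in trusted_sources.items():
        for r in records:
            source_of.setdefault(r, name)
    final = set(final_log)
    dropped = [(n, r) for r, n in source_of.items() if r not in final]
    unsourced = [r for r in final_log if r not in source_of]
    return {"dropped": dropped, "unsourced": unsourced}

TAG_AUTH, TAG_APP = sign_log(SRC_AUTH), sign_log(SRC_APP)
FINAL = merge_filter_modify(SRC_AUTH, SRC_APP)
REPORT = reconcile({"auth": SRC_AUTH, "app": SRC_APP}, FINAL)

if __name__ == "__main__":
    print("auth source verifies:", verify_log(SRC_AUTH, TAG_AUTH))
    print("final log verifies against either tag:",
          verify_log(FINAL, TAG_AUTH) or verify_log(FINAL, TAG_APP))
    print(REPORT)
```

Neither source tag verifies the final log, and the reconciliation report cannot say whether the masked record was edited in place or replaced, which is the information a final user lacks.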